Restiriction and white list not working good

[iincitr]

Hi

For a long time I pull my hair.

I define a single pc mac address to full stop go to internet via restiricition menu but some exception some education URL

When ever define even for one pc restiriction all pc on my network blocked to internet. And the white list not worked even

Thank you

[Lantis]

Please list which exact version you are using, and show what settings you are using.

[iincitr]

1.11.x
1.11.X (Built 20181210-0904 git@477ea871)


config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option block_static_ip_mismatches '1'
option force_router_dns '1'
option enforce_dhcp_assignments '1'

config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option src 'wan'
option proto 'igmp'
option target 'ACCEPT'

config rule
option src 'wan'
option proto 'udp'
option dest 'lan'
option dest_ip '224.0.0.0/4'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fe80::/10'
option src_port '547'
option dest_ip 'fe80::/10'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'
option reload '1'

config include
option type 'script'
option path '/usr/lib/gargoyle_firewall_util/gargoyle_additions.firewall'
option family 'IPv4'
option reload '1'

config include 'openvpn_include_file'
option path '/etc/openvpn.firewall'
option reload '1'

config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'

config remote_accept 'ra_443_443'
option local_port '443'
option remote_port '443'
option proto 'tcp'
option zone 'wan'

config remote_accept 'ra_80_80'
option local_port '80'
option remote_port '80'
option proto 'tcp'
option zone 'wan'

config remote_accept 'ra_22_22'
option local_port '22'
option remote_port '22'
option proto 'tcp'
option zone 'wan'

config restriction_rule 'rule_3'
option is_ingress '0'
option description 'Cuma gunu'
option not_local_addr 'd0:a6:37:92:19:2b,2C:8A:72:B8:7D:17'
option active_weekdays 'fri'
option active_hours '10:00-15:00,20:00-21:30,22:00-00'
option enabled '0'

config restriction_rule 'rule_4'
option is_ingress '0'
option description 'Gece Yasak 0:30 06:00'
option active_hours '00:30-06:00'
option enabled '0'

config restriction_rule 'rule_6'
option is_ingress '0'
option description 'herzaman internet yok'
option local_addr '88:51:FB:20:2B:88'
option enabled '1'

config restriction_rule 'rule_7'
option is_ingress '0'
option description 'GECE 02 :00 --- 06:00 ARASI ACIK'
option local_addr '04:F1:3E:7E:0B:32'
option active_weekdays 'sun,mon,tue,wed,thu,fri,sat'
option active_hours '08:00-00:00,00:01-02:00'
option enabled '0'

config restriction_rule 'rule_8'
option is_ingress '0'
option description 'apple update block'
option local_addr '04:F1:3E:7E:0B:32'
option active_hours '00:00-02:10,08:00-23:59'
option proto 'both'
option url_exact '"mesu.apple.com","appldnld.apple.com"'
option enabled '0'

config restriction_rule 'rule_5'
option is_ingress '0'
option description 'cumartesi pazar'
option local_addr '60:36:DD:63:E1:83,88:9B:39:D9:84:21'
option active_weekdays 'sun,sat'
option active_hours '10:00-15:00,17:00-22:00'
option enabled '0'

config restriction_rule 'rule_2'
option is_ingress '0'
option description 'pazar gunu'
option local_addr '60:36:DD:63:E1:83,88:9B:39:D9:84:21'
option active_weekdays 'sun'
option active_hours '10:30-16:00,17:00-22:30'
option enabled '0'

config restriction_rule 'rule_10'
option is_ingress '0'
option description 'tabletler'
option local_addr '192.168.5.177'
option enabled '0'

config restriction_rule 'rule_1'
option is_ingress '0'
option description 'genel yasak'
option local_addr '60:36:DD:63:E1:83,88:9B:39:D9:84:21,192.168.5.177'
option active_weekdays 'mon,tue,wed,thu'
option active_hours '17:30-19:00,20:30-23:45'
option enabled '1'

config whitelist_rule 'exception_1'
option is_ingress '0'
option description 'herzaman'
option local_addr '88:51:FB:20:2B:88,60:45:BD:DF:EE:CC,00:1B:77:41:9C:AA,D0:A6:37:92:19:2B'
option enabled '1'

config whitelist_rule 'exception_2'
option is_ingress '0'
option description 'All device'
option remote_addr '31.13.64.50/31,31.13.65.48/31,31.13.66.48/31,31.13.67.51/32,31.13.67.52/32,31.13.68.50/32,31.13.68.52/32,31.13.69.240/32,31.13.69.242/32,31.13.70.48/31,31.13.71.48/31,31.13.72.49/32,31.13.72.52/32,31.13.73.48/31,31.13.74.48/31,31.13.75.49/32,31.13.75.52/32,31.13.76.80/31,31.13.77.48/31,31.13.78.51/32,31.13.78.53/32,31.13.80.50/32,31.13.80.53/32,31.13.81.50/32,31.13.81.53/32,31.13.82.48/32,31.13.82.51/32,31.13.83.48/32,31.13.83.51/32,31.13.84.48/32,31.13.84.51/32,31.13.85.48/32,31.13.85.51/32,31.13.86.48/32,31.13.86.51/32,31.13.87.50/31,31.13.88.49/32,31.13.90.48/32,31.13.90.51/32,31.13.91.48/32,31.13.91.51/32,31.13.92.50/32,31.13.92.52/32,31.13.93.48/32,31.13.93.51/32,31.13.94.50/32,31.13.94.52/32,31.13.95.63/32,50.22.198.204/30,50.22.210.32/30,50.22.210.128/27,50.22.225.64/27,50.22.235.248/30,50.22.240.160/27,50.23.90.128/27,50.97.57.128/27,75.126.39.32/27,108.168.174.0/27,108.168.176.192/26,108.168.177.0/27,108.168.180.96/27,108.168.254.65/32,108.168.255.224/32,108.168.255.227/32,157.240.0.48/32,157.240.0.53/32,157.240.1.51/32,157.240.1.53/32,157.240.2.51/32,157.240.2.53/32,157.240.3.51/32,157.240.3.53/32,157.240.6.51/32,157.240.6.53/32,157.240.7.51/32,157.240.7.54/32,157.240.8.51/32,157.240.8.53/32,157.240.9.51/32,157.240.9.53/32,157.240.10.51/32,157.240.10.53/32,157.240.11.51/32,157.240.11.53/32,157.240.12.51/32,157.240.12.53/32,157.240.13.51/32,157.240.13.54/32,157.240.14.51/32,157.240.14.52/32,157.240.15.53/32,157.240.16.51/32,157.240.16.52/32,157.240.17.51/32,157.240.17.53/32,157.240.18.51/32,157.240.18.52/32,157.240.20.51/32,157.240.20.52/32,157.240.21.51/32,157.240.21.52/32,158.85.0.96/27,158.85.5.192/27,158.85.46.128/27,158.85.48.224/27,158.85.58.0/25,158.85.61.192/27,158.85.224.160/27,158.85.233.32/27,158.85.249.128/27,158.85.254.64/27,169.44.23.192/27,169.44.36.0/25,169.44.57.64/27,169.44.58.64/27,169.44.80.0/26,169.44.82.96/27,169.44.82.128/27,169.44.82.192/26,169.44.83.0/26,169.44.83.96/27,169.44.83.128/27,169.44.83.192/26,169.44.84.0/24,169.44.85.64/27,169.44.87.160/27,169.44.167.0/27,169.45.71.32/27,169.45.71.96/27,169.45.87.128/26,169.45.169.192/27,169.45.182.96/27,169.45.210.64/27,169.45.214.224/27,169.45.219.224/27,169.45.237.192/27,169.45.238.32/27,169.45.248.96/27,169.45.248.160/27,169.46.52.224/27,169.46.111.144/28,169.47.5.192/26,169.47.6.64/27,169.47.33.128/27,169.47.35.32/27,169.47.37.128/27,169.47.40.128/27,169.47.42.96/27,169.47.42.160/27,169.47.42.192/26,169.47.47.160/27,169.47.130.96/27,169.47.145.0/26,169.47.192.192/27,169.47.194.128/27,169.47.198.128/27,169.47.212.160/27,169.53.29.128/27,169.53.48.32/27,169.53.71.224/27,169.53.81.64/27,169.53.250.128/26,169.53.252.64/27,169.53.255.64/27,169.54.2.160/27,169.54.44.224/27,169.54.51.32/27,169.54.55.192/27,169.54.193.160/27,169.54.210.0/27,169.54.222.128/27,169.55.60.148/32,169.55.60.170/32,169.55.67.224/27,169.55.69.128/26,169.55.74.32/27,169.55.75.96/27,169.55.100.160/27,169.55.126.64/26,169.55.210.96/27,169.55.235.160/27,169.63.64.128/28,173.192.162.32/27,173.192.219.128/27,173.192.222.160/27,173.192.231.32/27,173.193.205.0/27,173.193.230.96/27,173.193.230.128/27,173.193.230.192/27,173.193.239.0/27,174.36.208.128/27,174.36.210.32/27,174.36.251.192/27,174.37.199.192/27,174.37.217.64/27,174.37.243.64/27,174.37.251.0/27,179.60.192.48/32,179.60.192.51/32,179.60.193.51/32,179.60.193.52/32,179.60.195.48/32,179.60.195.51/32,184.173.136.64/27,184.173.147.32/27,184.173.161.64/32,184.173.173.116/32,184.173.179.32/27,185.60.216.51/32,185.60.216.53/32,185.60.218.51/32,185.60.218.53/32,185.60.219.51/32,185.60.219.53/32,192.155.212.192/27,198.11.193.182/31,198.11.251.32/27,198.23.80.0/27,208.43.115.192/27,208.43.117.79/32,208.43.122.128/27'
option remote_port '53'
option proto 'both'
option url_domain_contains '"eba.gov.tr","whatsapp.net","whatsapp.com","google.com"'
option enabled '1'

[Lantis]

Well, that's one of the biggest rules i've seen. I'm not really surprised it doesn't work. I think you might be misinterpreting how the rules should be structured.

Let's go back to basics.

What exactly are you trying to block, and for whom?
And what made you come up with the rules you have created?
Where do all of those IPs come from?

[iincitr]

Hi

Actualy rule contais JUST whatsapp IP Address.

In my location there is almost 15 device Phone, SmartTVs, Tablet and PC

Mainly two groups.

One Always on web.

The other belongs time restiriction rules and works PERFECTLY.( Thank you again this property) .

What I want to do: The second group when the time of no internet, they may use whatsapp and some unblocked URL ( Thatis WhiteLsit)

This is the only req.

Thank you

[iincitr]

Hi Any help ?

[Lantis]

I have not had time to look yet, but it is on my list of things to do.

[Lantis]

Your request is complicated to setup, and even more so to explain.
To achieve what you require, you need to create two rules.

Rule 1 - Block_all_except_certain_websites
What does it do? Allows the specified devices access to everything, but during certain hours, only allows them to get access to certain websites.
Only change the Website URL(s) to "Block All Except", then use the "Domain Contains" and enter your 4 domains.

Rule 2 - Block_all_except_certain_ips
What does it do? Allows the specified devices access to everything, but during certain hours, only allows them access to certain IP addresses
Only change the Remote IP(s) to "Block All Except", then enter your list of IPs.
NOTE: You will also need to add the IP address for google, whatsapp and eba websites to this list, or you won't get to them. It may also be necessary to list your DNS server.

It is important to remember what when you are trying to do IP blocking AND website blocking, that websites are just IP addresses with fancy names. You need to be careful or you will get unexpected results.

The end result is the following set of logic:
-- STAGE 1 --
IF the packets come from the listed devices AND they are destined for the listed IPs, let them through to stage 2
IF they packets come from the listed devices AND they are NOT destined for the listed IPs, block them
IF the packets come from ANY OTHER DEVICE, let them through to stage 2
-- STAGE 2 --
IF the packet is a HTTP(S) request AND it is destined for one of the listed websites AND it comes from the listed devices, let them through
IF the packet is a HTTP(S) request AND it is NOT destined for one of the listed websites AND it comes from the listed devices, block them
IF the packet is a HTTP(S) request AND it is destined for ANY website AND it does NOT come from a listed device, let them through

[uncle john]

All posts I've seen about whitelisting deal with situation where MAC/IP addresses have already been assigned and then rules are assigned to those specific addresses.
I'm dealing with a case where access to the WLAN is open. In this situation all anonymous clients would only have access to 2 or three domains. Can Gargoyle handle this situation?

[Lantis]

All known hosts should be mapped. Then you can use the "All Hosts Except" options to rule them out of any restrictions